Date: Mon, 8 Dec 2003 17:48:04 +0100
From: jan.muenther@nruns.com
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org
Subject: Re: possible compromise or just misreading logs
Message-ID: <20031208164804.GA92121@ergo.nruns.com>
In-Reply-To: <20031208160428.DDF8FDAE9A@mx7.roble.com>
References: <20031207200130.C4B1216A4E0@hub.freebsd.org> <Pine.GSO.4.58.0312081045300.15156@mail.ilrt.bris.ac.uk> <20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com>
> Sure, unless you're running an Orange book A level system it's
> impossible to secure anything. But that's a rhetorical argument.

I guess you misunderstood me here. I wasn't arguing that any system can be broken into - true, but not the point here - but that it's possible to do it without getting noticed, even if you run Tripwire or a similar product.

> We're talking about filesystems here.

Well, okay - if we focus on that point alone, Tripwire surely does a good job. I was just opposing the apodictic statement that it's impossible to break into a system without Tripwire triggering an alert. I wasn't saying that it's superfluous to run, just that you shouldn't neglect all other possible and necessary security measures around it.

Again, don't get me wrong, I'm not one of the bigots who likes to slag off any security safeguard by saying it can be circumvented. All I was stating is that even when you have all that in place, you should still stick to best practices in every other regard.

> > Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
>
> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).

Guess that depends on the Tripwire version, too... see http://www.phrack.com/show.php?p=43&a=14

Cheers, J.
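The point made in the quoted reply above, that an integrity checker records several independent signatures per file and also covers its own database, is illustrated by the following added example. It is not Tripwire's code and not from the thread: it is a small baseline-and-verify routine written for this page, using the digests Python's standard library ships (md5, sha1, sha256) plus crc32 in place of Tripwire's snefru/haval/md2 set. File names, contents and the `tw.db` database name are constructed for the demo; the assumption is that the returned database signatures are stored somewhere the checked host cannot rewrite (read-only media, another host), which is what makes the self-check meaningful.

```python
import hashlib
import json
import os
import tempfile
import zlib

# Digests computed per file. Tripwire's classic set (snefru, haval, md2,
# md4, crc16, ...) is not in hashlib, so this demo (an assumption, not
# Tripwire's code) uses the stdlib ones plus crc32. The defensive point is
# the same: a forger must make every signature agree at once.
DIGESTS = ("md5", "sha1", "sha256")


def file_signatures(path):
    """Return a dict of independent checksums (and size) for one file."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
            crc = zlib.crc32(chunk, crc)
    sigs = {name: h.hexdigest() for name, h in hashers.items()}
    sigs["crc32"] = "%08x" % (crc & 0xFFFFFFFF)
    sigs["size"] = os.path.getsize(path)
    return sigs


def build_baseline(paths, db_path):
    """Write the baseline database and return the signatures of the database
    file itself, to be kept off-host so tampering with the db is detectable."""
    baseline = {p: file_signatures(p) for p in paths}
    with open(db_path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)
    return file_signatures(db_path)


def verify(db_path, db_sigs):
    """Return {path: [names of signatures that changed]} for every file that
    differs from the baseline. The database is checked first, against the
    signatures that were stored out of band, and reported under its own path."""
    changes = {}
    current_db = file_signatures(db_path)
    diff = [k for k in db_sigs if db_sigs[k] != current_db[k]]
    if diff:
        changes[db_path] = diff
    with open(db_path) as fh:
        baseline = json.load(fh)
    for path, expected in baseline.items():
        if not os.path.exists(path):
            changes[path] = ["missing"]
            continue
        actual = file_signatures(path)
        diff = [k for k in expected if expected[k] != actual[k]]
        if diff:
            changes[path] = diff
    return changes


def demo():
    """Constructed scenario: baseline two files, then alter one byte of the
    'binary' without changing its size, and run the verifier before and after."""
    workdir = tempfile.mkdtemp()
    bin_path = os.path.join(workdir, "ls")        # stands in for a system binary
    conf_path = os.path.join(workdir, "rc.conf")  # stands in for a config file
    db_path = os.path.join(workdir, "tw.db")      # constructed database name
    with open(bin_path, "wb") as fh:
        fh.write(b"\x7fELF fake binary contents (constructed)\n")
    with open(conf_path, "wb") as fh:
        fh.write(b'sshd_enable="YES"\n')
    db_sigs = build_baseline([bin_path, conf_path], db_path)

    clean = verify(db_path, db_sigs)  # nothing changed yet: {}

    # Same-size, in-place modification: the size field alone would not catch
    # it, but every digest does, and all of them would have to be forged.
    with open(bin_path, "r+b") as fh:
        fh.seek(8)
        fh.write(b"X")
    dirty = verify(db_path, db_sigs)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean run:", clean)
    print("after modification:", dirty)
```

Running the script shows an empty result on the clean pass and, after the one-byte edit, the modified path with all four digests listed as changed while `size` is not. Keeping the value returned by `build_baseline` off the host is the part that matters: if the database's own signatures live on the same machine, an intruder who can rewrite files can rewrite the baseline too.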